web3
Safeguard articles tagged "web3" — guides, analysis, and best practices for software supply chain and application security.
7 articles
Ledger Connect Kit December 2023: A CDN Attack Retrospective
The Ledger Connect Kit compromise was a five-hour CDN attack that drained roughly $600k from connected wallets. A look at how it happened and what defenders learned.
xrpl.js npm Backdoor April 2025 Incident Analysis
A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL integrators should do next.
Solana web3.js npm Backdoor: Dec 2024 Post-Mortem
A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.
Ledger Connect Kit Attack: What Devs Missed
A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tells us about Web3 supply chain trust.
Lottie Player npm Supply Chain Attack Explained
A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet drains. Here is the mechanics.
faster_log and async_println: Rust's First Public Wallet-Stealing Crates
On September 24, 2025, crates.io removed faster_log and async_println — Rust typosquats that had quietly stolen Ethereum and Solana keys from 8,424 downloads since May.
Web3 Smart Contract Dependencies: A Supply Chain Security Blind Spot
Smart contracts import code from unaudited libraries, creating supply chain risks that have already led to billions in losses. The Web3 ecosystem needs better tooling.